For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

cjunior_138458's avatar
cjunior_138458
Icon for Altostratus rankAltostratus
Mar 14, 2016

APM Auth Domain cookie

Hi folks,

 

Is there any way to setup an Auth Domain in APM with profile type as All?

 

I need to publish a portal access to more than one host in same domain.

 

I've been searching in devcentral and I saw that this option only works in profile as LTM+APM. Is this correct?

 

I've set the Domain Cookie as the domain name but it is not working.

 

BIG-IP v12.0

 

Any help I appreciate it.

 

application delivery
BIG-IP Access Policy Manager (APM)
LTM

3 Replies

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Mar 14, 2016

    Your question is not clear to me, but:

     

    1- The cookie-domain setting specifies the scope of the MRHSession cookie that's transmitted by APM to your client PCs for session tracking.

     

    2- If your client transmits the cookie back to APM (and the session is "within scope" -- see the session scope setting), then the HTTP request is associated with the user session.

     

    3- This setting is valid for all Access Profile types.

     

    That's the front-end. Now on the back-end, Portal Access uses the reverse proxy so that the hostname is more or less invisible to the client PC. It doesn't matter what that domain is. For more general information on use case types and how APM works, troubleshooting, etc, please see the "APM Operations Guide". That, along with some knowledge of Web browsers, HTTP, and cookies should give you a good understanding of the general operating principles.

     

    • Lucas_Thompson_'s avatar
      Lucas_Thompson_
      Historic F5 Account
      Mar 14, 2016
      to clarify this: In Point 1, by "scope" , I mean "domain scope" or just "cookie domain".
  • cjunior's avatar
    cjunior
    Icon for Nacreous rankNacreous
    Mar 14, 2016

    First I thank you.

     

    I know that in version 12.0, we have to choose a scope for the policy. Thus, I tried all scope types Global, Virtual Server and Profile but I didn't have success with APM in profile type mode All.

     

    However, with this profile type as LTM-APM, the APM sessions persistence was kept and worked as expected. What I hope is that when domain cookie is set, it will keep the APM session alive where requesting hosts over the same VS and domain name.

     

    e.g.

     

    DNS: www.f5lab.netIN A 172.30.30.100

     

    DNS: services.f5lab.net IN A 172.30.30.100

     

    LTM my_vs: 172.30.30.100:443, Access profile: my_policy

     

    APM: my_policy, Type: All, Scope: Global

     

    Domain Mode: Single Domain

     

    Domain Cookie: .f5lab.net

     

    Expected:

     

    https://www.f5lab.net (requires authentication)

     

    https://services.f5lab.net (reuse previous authentication)

     

    I have done this in a version 11.6 and it works, but I had no lucky with v12.0.

     

    I know that the link below is not related about v12.0, but it seems to be the same issue. So I asked if it makes sense.

     

    https://devcentral.f5.com/questions/sso-auth-domains-not-maintaining-session